this post was submitted on 20 Apr 2024
60 points (98.4% liked)


I have read quite a few posts about preventing account password takeover from various malicious ways, and many OPSEC measures are there to prevent it from happening.

Consider a case where you face a total blackout or technical failure. Now, you need to log in to your password manager, which requires either OTP on email or TOTP. You don't have access to the TOTP app because the backup is stored in cloud storage, whose email login also requires OTP.

How would you prevent such from happening? I haven't found a satisfactory solution or explanation for that yet.

[–] [email protected] 3 points 7 months ago

All my drives are encrypted and have an encrypted backup of 2FA; a whole bunch of drives and my phone would all have to fail at the same time. This is following 3-2-1 so not all are in the same place or running at the same time.

I use VeraCrypt to make encrypted portable files that contain 2FA and I back them up to random cloud storage using SimpleLogin email accounts, no 2FA on these for this exact reason. I know my password manager passphrase but I also do the same thing with it as the 2FA file just on a different account.

If any of the accounts gets hijacked then all they have is a throwaway email and password for that account and a random tiny encrypted file.

My codes aren't labeled with the email that they are for, just the service, e.g. Proton1, and the passphrase has no other information stored with it so even if they magically managed to decrypt either of the files and gain access to the codes/passphrase they don't have any idea what accounts any of them are for.

Log in to a cloud storage -> download the file -> decrypt it -> add it to any compatible app -> log in to the password manager
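An added example, not part of the original thread: a small recovery-path check that models which credentials each login needs and reports what stays unreachable after a total device loss. The asset names, the assumption that the email login in the question depends on the password manager plus TOTP, and the assumption that the commenter's passphrases are memorized are all constructed for illustration.

```python
# Each asset maps to alternative prerequisite sets; satisfying any one set unlocks it.
def reachable(requires, held):
    """Return everything obtainable starting from what you still hold."""
    have = set(held)
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for asset, options in requires.items():
            if asset not in have and any(set(opt) <= have for opt in options):
                have.add(asset)
                changed = True
    return have

def locked_out(requires, held):
    """Assets that can never be recovered from the held items."""
    return sorted(set(requires) - reachable(requires, held))

# Constructed model of the scenario in the question: every path loops back on itself.
QUESTION = {
    "password_manager": [{"master_passphrase", "email_otp"},
                         {"master_passphrase", "totp_codes"}],
    "totp_codes": [{"cloud_storage"}],        # TOTP backup lives in cloud storage
    "cloud_storage": [{"email_otp"}],         # cloud login needs an email OTP
    "email_otp": [{"email_account"}],
    "email_account": [{"password_manager", "totp_codes"}],  # assumed dependency
}

# Constructed model of the commenter's scheme: the backup account has no 2FA.
COMMENTER = {
    "password_manager": [{"master_passphrase", "totp_codes"}],
    "totp_codes": [{"encrypted_2fa_file", "container_passphrase"}],
    "encrypted_2fa_file": [{"throwaway_cloud"}, {"local_encrypted_drive"}],
    "throwaway_cloud": [{"throwaway_cloud_password"}],
}

# After a blackout only memorized secrets remain (assumption).
QUESTION_HELD = {"master_passphrase"}
COMMENTER_HELD = {"master_passphrase", "container_passphrase",
                  "throwaway_cloud_password"}

if __name__ == "__main__":
    print("question scenario locked out:", locked_out(QUESTION, QUESTION_HELD))
    print("commenter scheme locked out:", locked_out(COMMENTER, COMMENTER_HELD))
```

Editing the maps to match your own accounts shows whether any login depends, directly or indirectly, on itself.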